Ruby's XML document parsing module (REXML) was prone to a denial of service attack via XML documents containing deeply recursive XML entity definitions. A specially-crafted XML file could cause a Ruby application using the REXML module to use an excessive amount of CPU and memory. (CVE-2008-3790)

An insufficient "taintness" check flaw was discovered in Ruby's DL module, which provides direct access to C language functions. An attacker could use this flaw to bypass intended safe-level restrictions by calling external C functions with arguments taken from untrusted, tainted inputs. (CVE-2008-3657)

A denial of service flaw was discovered in WEBrick, Ruby's HTTP server toolkit. A remote attacker could send a specially-crafted HTTP request to a WEBrick server that would cause the server to use an excessive amount of CPU time. (CVE-2008-3656)

A number of flaws were found in the safe-level restrictions in Ruby. It was possible for an attacker to create a carefully crafted malicious script that could bypass certain safe-level restrictions. (CVE-2008-3655)

A denial of service flaw was found in Ruby's regular expression engine. If a Ruby script tried to process a large amount of data via a regular expression, it could cause Ruby to enter an infinite loop and crash. (CVE-2008-3443)

Users of ruby should upgrade to these updated packages, which contain backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188